From 3c644f2c44f828f3291b857754978642b0adcf20 Mon Sep 17 00:00:00 2001 From: James Date: Sun, 22 Feb 2026 12:02:06 -0500 Subject: [PATCH] chore: auto-commit uncommitted changes --- memory/claude-usage.db | Bin 40960 -> 40960 bytes memory/claude-usage.json | 12 +- memory/heartbeat-state.json | 8 +- memory/security-baselines/caddy.md | 31 +++ memory/security-baselines/forge.md | 40 ++++ memory/security-baselines/james-old.md | 35 +++ memory/security-baselines/staging.md | 43 ++++ memory/security-baselines/zurich.md | 40 ++++ memory/security-scans/2026-02-22.md | 291 +++++++++++++++++++++++++ 9 files changed, 490 insertions(+), 10 deletions(-) create mode 100644 memory/security-baselines/caddy.md create mode 100644 memory/security-baselines/forge.md create mode 100644 memory/security-baselines/james-old.md create mode 100644 memory/security-baselines/staging.md create mode 100644 memory/security-baselines/zurich.md create mode 100644 memory/security-scans/2026-02-22.md diff --git a/memory/claude-usage.db b/memory/claude-usage.db index dd26d43726ebe1a24828f9f8ddac064b134018c7..113e3f0cc855eaab82d1d09a8ceae379ac468302 100644 GIT binary patch delta 241 zcmZoTz|?SnX@WFk#6%fq#)ypx^Yt0SHW{!4Fek8RO=fS{&Bl_&;>Du1u`!7`LAEK3 zjlqZt16>4)lLvsiv4O|~vx=1000) +nobody:65534 (system) +johan:1000 +stijn:1001 (/var/www/flourishevents — web service account, nologin equivalent) + +## Expected Listening Ports +- 22 (SSH) +- 80/443 (Caddy reverse proxy) +- 40021 (vsftpd passive FTP) +- 2019 (Caddy admin API — localhost) +- 53 (systemd-resolved — localhost) + +## SSH Hardening +- PasswordAuthentication: no ✅ +- PermitRootLogin: without-password ✅ +- PubkeyAuthentication: yes ✅ + +## Known Firewall State +UFW: ACTIVE ✅ +Rules: SSH (LIMIT from LAN), 80/443 (ALLOW), 40021 (ALLOW), 40000-40010 (ALLOW — FTP passive) + +## Known Issues at Baseline +- fail2ban not active +- vsftpd running (FTP) — known for flourishevents site +- User `stijn` exists (/var/www/flourishevents) — web service account 
diff --git a/memory/security-baselines/forge.md b/memory/security-baselines/forge.md new file mode 100644 index 0000000..ee55b70 --- /dev/null +++ b/memory/security-baselines/forge.md @@ -0,0 +1,40 @@ +# Forge (192.168.1.16) — Security Baseline +Established: 2026-02-22 + +## SSH Authorized Keys (johan) +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4vdTyAAgy6PTsTLy64zQ8HwB3n3N3HQ3VfpLnItN7f johan@ubuntu2404 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpdYKhUPal5p9oI6kN85PAB7oZ+j0P2+xCzvt1rord6 johanjongsma@Johans-MacBook-Pro.local +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF johan@thinkpad-x1 + +## Expected Users (uid>=1000) +nobody:65534 (system) +johan:1000 + +## Expected Listening Ports +- 22 (SSH) +- 21 (vsftpd — known, ⚠️ review if needed) +- 139/445 (Samba) +- 8030 (message-bridge — all interfaces) +- 8080 (signal-cli — all interfaces) +- 8090 (OCR service — all interfaces) +- 9200 (james-dashboard) +- 9201 (docsys) +- 9202 (Fully dashboard) +- 9300 (dealroom) +- 9877/9878 (node) +- 9900 (docproc) +- 18789 (openclaw-gateway — all interfaces) +- 18792 (openclaw browser — localhost) +- 11434 (ollama — localhost) +- 8025 (message-center — localhost) +- 13001 (SSH tunnel to zurich:3001 — localhost) + +## Known Firewall State +UFW: NOT INSTALLED — ⚠️ no host firewall (relying on router/network controls) + +## Known Issues at Baseline +- UFW not installed (known deficiency) +- fail2ban not active +- vsftpd running on port 21 — needs review diff --git a/memory/security-baselines/james-old.md b/memory/security-baselines/james-old.md new file mode 100644 index 0000000..bc10032 --- /dev/null +++ b/memory/security-baselines/james-old.md 
@@ -0,0 +1,35 @@ +# James-Old (192.168.1.17) — Security Baseline +Established: 2026-02-22 + +## SSH Authorized Keys (johan) +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4vdTyAAgy6PTsTLy64zQ8HwB3n3N3HQ3VfpLnItN7f johan@ubuntu2404 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge + +## Expected Users (uid>=1000) +nobody:65534 (system) +johan:1000 +snapd-range-524288-root:524288 (snap service — system) +snap_daemon:584788 (snap service — system) +scanner:1001 (SANE scanner service — system, nologin shell) + +## Expected Listening Ports +- 22 (SSH) +- 21 (FTP — known) +- 139/445 (Samba) +- 3389 (RDP — xrdp, known) +- 3350 (xrdp-sesman — localhost) +- 8025 (message-center — localhost) +- 8030 (message-bridge — all interfaces) +- 9200 (dashboard) +- 1143 (Proton Bridge IMAP — localhost) +- 1025 (Proton Bridge SMTP — localhost) + +## Known Firewall State +UFW: INACTIVE — ⚠️ no host firewall + +## Known Issues at Baseline +- UFW inactive (known deficiency — retired machine) +- fail2ban not active +- RDP (3389) exposed — known, used for remote desktop +- 53 pending apt updates diff --git a/memory/security-baselines/staging.md b/memory/security-baselines/staging.md new file mode 100644 index 0000000..481ca16 --- /dev/null +++ b/memory/security-baselines/staging.md 
@@ -0,0 +1,43 @@ +# Staging (192.168.1.253) — Security Baseline +Established: 2026-02-22 + +## SSH Authorized Keys (johan) +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpdYKhUPal5p9oI6kN85PAB7oZ+j0P2+xCzvt1rord6 johanjongsma@Johans-MacBook-Pro.local +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge + +## Expected Users (uid>=1000) +nobody:65534 (system) +johan:1000 + +## Expected Listening Ports +- 22 (SSH) +- 139/445 (Samba) +- 2283 (Immich — all interfaces) +- 8080 (signal-cli-rest-api — all interfaces) +- 8096 (Jellyfin — all interfaces) +- 8123 (ClickHouse HTTP — all interfaces) +- 9000 (ClickHouse TCP — all interfaces) +- 18789 (openclaw-gateway — all interfaces) +- 18792 (openclaw browser — localhost) +- 1080 (portal) +- 8082 (inou api) +- 8765 (inou viewer) + +## Docker Containers (Known) +- clickhouse (clickhouse/clickhouse-server) +- immich_server (ghcr.io/immich-app/immich-server) +- immich_machine_learning +- immich_postgres +- immich_redis +- jellyfin +- signal-cli-rest-api + +## Known Firewall State +UFW: INACTIVE — ⚠️ no host firewall + +## Known Issues at Baseline +- UFW inactive (LAN only, home lab — tolerated) +- fail2ban not active +- SSH hardening not verified (sshd -T requires root) diff --git a/memory/security-baselines/zurich.md b/memory/security-baselines/zurich.md new file mode 100644 index 0000000..491b05d --- /dev/null +++ b/memory/security-baselines/zurich.md 
@@ -0,0 +1,40 @@ +# Zurich (zurich.inou.com / 82.22.36.202) — Security Baseline +Established: 2026-02-22 + +## Root SSH Authorized Keys +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIhEtv7t3njNoG+mnKElR+rasMArdc8DnHON22lreT7 james@james +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF johan@thinkpad-x1 + +## Expected Users (uid>=1000) +nobody:65534 (system) +harry:1000 (/var/www/harryhaasjes — web service, nologin) +harry-web:1001 (/home/harry-web — web service, nologin) + +## Expected Listening Ports +- 22 (SSH — all interfaces) +- 25/143/587/465/993/995/110/4190 (Stalwart mail server) +- 80/443 (Caddy) +- 2019 (Caddy admin — localhost) +- 2586 (ntfy — localhost, behind Caddy) +- 3001 (Uptime Kuma — all interfaces, UFW blocks external) +- 8080 (Vaultwarden — localhost, behind Caddy) +- 8880/8443 (Stalwart admin — localhost) +- 41641 (Tailscale UDP) + +## SSH Hardening +- PasswordAuthentication: no ✅ +- PermitRootLogin: without-password ✅ +- PubkeyAuthentication: yes ✅ + +## Known Firewall State +UFW: ACTIVE ✅ +Rules: 22, 80, 443, 41641 (Tailscale), tailscale0, 25, 587, 465, 993, 143, 4190 + +## Known Issues at Baseline +- High SSH brute force volume — expected for public VPS, mitigated by key-only auth + fail2ban +- Port 3001 (Kuma) exposed on all interfaces — but UFW blocks it externally (no rule for 3001) +- Port 110/995 (POP3) not in UFW rules — blocked externally even though Stalwart listens +- Docker: uptime-kuma, vaultwarden diff --git a/memory/security-scans/2026-02-22.md b/memory/security-scans/2026-02-22.md new file mode 100644 index 0000000..f02b7ee --- /dev/null +++ b/memory/security-scans/2026-02-22.md 
@@ -0,0 +1,291 @@ +# Weekly Security Posture Scan — 2026-02-22 +Scan time: Sunday, February 22nd, 2026 — ~09:01 AM EST +**FIRST RUN** — Baselines established in `memory/security-baselines/` + +## Summary + +| Host | Firewall | SSH Hardened | fail2ban | Intrusion Indicators | Overall | +|------|----------|--------------|----------|----------------------|---------| +| forge (localhost) | ❌ None | ✅ | ❌ | None | ⚠️ WARN | +| james-old (192.168.1.17) | ❌ UFW inactive | ⚠️ Unknown | ❌ | None | ⚠️ WARN | +| staging (192.168.1.253) | ❌ UFW inactive | ⚠️ Unknown | ❌ | None | ⚠️ WARN | +| caddy (192.168.0.2) | ✅ UFW active | ✅ | ❌ | None | ⚠️ WARN | +| prod (192.168.100.2) | ❓ No access | ❓ | ❓ | ❓ | ❌ UNREACHABLE | +| zurich.inou.com | ✅ UFW active | ✅ | ✅ | Brute force (expected) | ✅ OK | + +--- + +## FORGE (192.168.1.16 — localhost) + +### Firewall +- ❌ **UFW NOT INSTALLED** — no host-level firewall +- Relying entirely on network-level controls (router/UDM-Pro) + +### SSH Hardening +- ✅ `PasswordAuthentication no` +- PermitRootLogin: not explicitly set (Ubuntu default = prohibit-password ≈ key-only) +- PubkeyAuthentication: yes (default) + +### fail2ban +- ❌ **Not installed/active** + +### Listening Ports +Expected ports for this host. 
Notable: +- ⚠️ Port 21 (vsftpd) — FTP running as root, enabled at boot, all interfaces +- Ports 22, 139/445 (Samba), 8030, 8080, 8090, 9200-9202, 9300, 9877-9878, 9900, 18789 — all expected + +### Users +- nobody (65534), johan (1000) — **clean** + +### SSH Authorized Keys +- 5 keys: james@server, johan@ubuntu2404, claude@macbook, johanjongsma@MacBook, johan@thinkpad-x1 +- **All expected** — no unknown keys + +### Login History +- All sessions from 192.168.1.14 (LAN) and 100.114.238.41 (Tailscale) +- Most recent: Sat Feb 21 — clean +- **No failed logins** + +### Outbound Connections +All legitimate: +- IMAP to zurich:993 (message-center) +- SSH tunnels to zurich:22 +- OpenClaw API connections +- Signal/WhatsApp bridge +- 192.200.0.103:443 (unknown — Anthropic CDN likely) + +### Cron +- `/home/johan/clawd/scripts/claude-usage-check.sh` (hourly) — expected +- `/home/johan/scripts/health-push.sh` (every minute) — expected + +### Shadow / Sudoers Perms +- `/etc/shadow`: rw-r----- root:shadow ✅ +- `/etc/sudoers`: r--r----- root:root ✅ + +### Security Patches +- 0 pending security patches (apt list --upgradable | grep security returned empty) + +### Findings +| Severity | Finding | +|----------|---------| +| ⚠️ MEDIUM | UFW not installed — no host firewall | +| ⚠️ MEDIUM | fail2ban not active | +| ⚠️ LOW | vsftpd (FTP) running on port 21, all interfaces, root-owned process | + +--- + +## JAMES-OLD (192.168.1.17) + +### Firewall +- ❌ **UFW inactive** (installed but disabled) + +### SSH Hardening +- sshd -T returned empty (no sudo) — hardening status unknown +- Need root access to verify + +### fail2ban +- ❌ **Not active** + +### Listening Ports +Notable: +- ⚠️ Port 3389 (RDP/xrdp) — all interfaces (0.0.0.0) +- ⚠️ Port 21 (FTP) — all interfaces +- Port 8030 (message-bridge) — all interfaces +- Ports 22, 139/445, 1143/1025 (Proton Bridge — localhost), 8025 (MC — localhost), 9200 — expected + +### Users +- nobody, johan, snapd-range-524288-root, snap_daemon (all snap-related 
— system), scanner +- `scanner` user: uid=1001, shell=/usr/sbin/nologin, home=/home/scanner — **SANE scanner service, expected** + +### SSH Authorized Keys +- 3 keys: johan@ubuntu2404, claude@macbook, james@forge — **clean** + +### Login History +- Last login: Wed Feb 4 from LAN +- Machine is mostly idle (retired) + +### Pending Updates +- **53 pending apt updates** — needs attention + +### Findings +| Severity | Finding | +|----------|---------| +| ⚠️ MEDIUM | UFW inactive on a machine with exposed ports | +| ⚠️ MEDIUM | fail2ban not active | +| ⚠️ LOW | RDP (port 3389) exposed on all interfaces | +| ⚠️ LOW | FTP (port 21) exposed | +| ⚠️ LOW | 53 pending apt updates — should patch or decommission | + +--- + +## STAGING (192.168.1.253) + +### Firewall +- ❌ **UFW inactive** + +### SSH Hardening +- Could not verify (no sudo for sshd -T) — **TODO: verify next scan** + +### fail2ban +- ❌ **Not active** + +### Listening Ports +LAN-accessible services (home lab — tolerated): +- 2283 (Immich), 8080 (signal-cli), 8096 (Jellyfin), 8123/9000 (ClickHouse) +- 18789 (OpenClaw gateway), 8082/8765/1080 (inou app) +- 22, 139/445 (Samba) + +### Docker Containers +- Immich (server, ML, postgres, redis) — ✅ Up 11+ days (healthy) +- ClickHouse — ✅ Up 6 hours (healthy) +- Jellyfin — ✅ Up 11 days (healthy) +- signal-cli-rest-api — ✅ Up 11 days (healthy) + +### Users +- nobody (65534), johan (1000) — **clean** + +### SSH Authorized Keys +- 4 keys: claude@macbook, johanjongsma@MacBook, james@server, james@forge — **clean** + +### Login History +- Most recent: Fri Feb 20 from LAN — clean + +### Findings +| Severity | Finding | +|----------|---------| +| ⚠️ MEDIUM | UFW inactive (LAN-only machine, tolerated) | +| ⚠️ MEDIUM | fail2ban not active | +| ℹ️ INFO | Many open ports — consistent with home lab role | + +--- + +## CADDY (192.168.0.2) + +### Firewall +- ✅ **UFW active** with rules: + - SSH limited from LAN (/22) + - 80/443 ALLOW any + - 40021/tcp ALLOW (FTP passive) + - 
40000-40010/tcp ALLOW (FTP data) + +### SSH Hardening +- ✅ `PasswordAuthentication no` +- ✅ `PermitRootLogin without-password` +- ✅ `PubkeyAuthentication yes` + +### fail2ban +- ❌ **Not active** — public-facing host, this is a gap + +### Listening Ports +- 22, 80, 443, 2019 (Caddy admin — localhost), 40021 (vsftpd), 53 (systemd-resolved) +- All expected + +### Users +- nobody, johan, stijn (/var/www/flourishevents — web service account) — **all expected** + +### Root SSH Keys +- 1 key: james@forge — **clean** + +### Login History +- Last interactive login: Sat Jan 31 — long ago +- 1 failed login: james@192.168.1.16 (Mon Feb 9) — from forge, expected (James SSH auth attempt) + +### Findings +| Severity | Finding | +|----------|---------| +| ⚠️ MEDIUM | fail2ban not active on public-facing host | +| ℹ️ INFO | Only james@forge in root authorized_keys (minimal attack surface) | + +--- + +## PROD (192.168.100.2) + +### Status +- ❌ **UNREACHABLE** — SSH authentication failed (too many auth failures) +- May require specific SSH key or non-root user +- **Action needed:** Establish access method for security scans + +### Findings +| Severity | Finding | +|----------|---------| +| ❌ UNKNOWN | Cannot scan prod — access method needed | + +--- + +## ZURICH (zurich.inou.com / 82.22.36.202) + +### Firewall +- ✅ **UFW active** with comprehensive rules: + - 22, 80, 443, Tailscale, 25/143/587/465/993/4190 (mail) + +### SSH Hardening +- ✅ `PasswordAuthentication no` +- ✅ `PermitRootLogin without-password` +- ✅ `PubkeyAuthentication yes` + +### fail2ban +- ✅ **Active** (systemctl reports active) + +### Brute Force Activity +- **⚠️ HIGH volume SSH brute force detected** (20 failed attempts in ~15 min window today) +- Example IPs: 80.94.92.164, 89.155.5.35, 20.185.243.158, 2.57.121.25, 57.128.214.238, 20.88.55.220, 101.47.163.102, 34.78.29.97, 139.59.157.104, 23.227.147.163 +- **Usernames attempted:** sol, opnsense, zookeeper, user, solana, listen, jfrog, polycom, rdp, serveradmin, 
borgbackup, blink, pound +- **Risk: LOW** — password auth disabled, key-only auth, fail2ban active +- This is expected/normal for a public VPS with port 22 open + +### Listening Ports +All expected: +- 22 (SSH), 80/443 (Caddy), 25/143/587/465/993/995/110/4190 (Stalwart mail) +- 2019 (Caddy admin — localhost), 2586 (ntfy — localhost), 8080/8880/8443 (localhost) +- 3001 (Uptime Kuma — all interfaces; UFW blocks external, no UFW rule for 3001) + +### Docker Containers +- uptime-kuma (louislam/uptime-kuma:1) — ✅ Up 3 days (healthy) +- vaultwarden (vaultwarden/server) — ✅ Up 12 hours (healthy) + +### Users +- nobody (65534), harry (1000 — /var/www/harryhaasjes, nologin), harry-web (1001 — nologin) +- **All expected** service accounts + +### Root SSH Keys +- 5 keys: claude@macbook, james@server, james@james, james@forge, johan@thinkpad-x1 — **all expected** + +### Login History +- Last interactive: root from 47.197.93.62 (Johan's home IP) — Jan 27 — clean + +### Findings +| Severity | Finding | +|----------|---------| +| ℹ️ INFO | High SSH brute force volume — mitigated (key-only + fail2ban) | +| ℹ️ INFO | Port 3001 (Kuma) binding 0.0.0.0 — UFW blocks externally, but should bind localhost | +| ℹ️ INFO | POP3 (110/995) listening but not in UFW rules — consider adding or disabling | + +--- + +## Action Items + +| Priority | Host | Action | +|----------|------|--------| +| HIGH | forge | Install UFW or document why host firewall isn't needed | +| HIGH | forge | Install fail2ban | +| MEDIUM | forge | Review vsftpd — is FTP still needed? 
Disable if not | +| MEDIUM | james-old | Patch 53 pending updates, or decommission machine | +| MEDIUM | james-old | Enable UFW or document retirement status | +| MEDIUM | caddy | Install fail2ban (public-facing, should have brute-force protection) | +| MEDIUM | staging | Verify SSH hardening as root | +| MEDIUM | prod | Establish SSH access method for security scans | +| LOW | zurich | Change Kuma to bind localhost only (`--listen 127.0.0.1`) | +| LOW | zurich | Consider UFW rule for POP3 (995) if intentionally offered | + +--- + +## No Intrusion Indicators Found +- No unknown users on any accessible host +- No rogue SSH keys +- No suspicious processes +- All login history from known IPs (LAN, Tailscale, Johan's home IP) +- Zurich brute force — normal internet noise, all blocked + +--- + +*Next scan: 2026-03-01 | Baselines: memory/security-baselines/*
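Review bot: memory/claude-usage.db is a 40960-byte binary committed as a "GIT binary patch" delta under an auto-commit, which makes the change unreviewable, and if the hourly claude-usage-check.sh cron job listed in the scan report writes that file, every run will produce another such delta. Suggest ignoring the .db in .gitignore (keeping only memory/claude-usage.json under version control) and having the auto-commit name the files it touched instead of "auto-commit uncommitted changes".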
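Review bot: in memory/security-baselines/caddy.md, "web service account, nologin equivalent" for `stijn` is too vague to detect drift against; record the actual shell and home as james-old.md does for `scanner` (uid, shell, home as reported by `getent passwd stijn`), and drop the duplicate "User stijn exists" line under Known Issues since the Expected Users section already covers it. The firewall line "SSH (LIMIT from LAN)" should also carry the source range so a later widening is visible; the scan report records it as /22.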
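Review bot: memory/security-baselines/forge.md has no SSH Hardening section, while caddy.md and zurich.md do; the scan verified `PasswordAuthentication no` on forge and notes PermitRootLogin is unset (distribution default), so record those values here or a later change will not show up against the baseline. With UFW not installed on this host, the entries marked "all interfaces" (8030, 8080, 8090, 18789) are the effective LAN exposure list, so the baseline should say for each whether the service authenticates or relies on the network alone.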
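Review bot: "53 pending apt updates" under Known Issues at Baseline in memory/security-baselines/james-old.md is a point-in-time count, not a baseline property; the next scan's comparison against the baseline will either miss newly pending updates or flag a stale number. Keep the count in the dated scan report and limit the baseline to the structural facts (RDP on 3389 all interfaces, FTP on 21, UFW inactive, retired status).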
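Review bot: memory/security-baselines/staging.md records "UFW: INACTIVE" alongside Immich, Jellyfin, ClickHouse and signal-cli-rest-api as Docker containers; enabling UFW alone, as the MEDIUM finding implies, will not restrict 2283, 8096, 8123, 9000 or 8080, because Docker inserts its own iptables rules for published ports ahead of the chains UFW manages. The effective exposure is set by the container port mappings (the PORTS column of `docker ps`, `0.0.0.0:` versus `127.0.0.1:`), so the baseline should record those mappings. For "SSH hardening not verified (sshd -T requires root)", `/etc/ssh/sshd_config` is normally world-readable (drop-ins under sshd_config.d may not be), so the configured values can at least be recorded from there until a root check is possible.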
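Review bot: in memory/security-baselines/zurich.md, "UFW blocks it externally (no rule for 3001)" should not be inferred from the UFW rule list, because uptime-kuma is listed as a Docker container in the same file and Docker-published ports are reached through Docker's own iptables chains before UFW's rules apply. Confirm with a connection attempt from outside the host and `sudo iptables -L DOCKER -n`. Since forge already reaches Kuma through an SSH tunnel to zurich:3001 (forge.md, port 13001), publishing the container port on loopback only (`-p 127.0.0.1:3001:3001`) keeps that path working and removes the ambiguity. The POP3 110/995 note relies on the same reasoning, but Stalwart is not listed as a container, so UFW does govern those ports.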
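Review bot: in memory/security-scans/2026-02-22.md, the forge Outbound Connections list opens with "All legitimate" but its last entry, 192.200.0.103:443, is marked "unknown — Anthropic CDN likely"; an unattributed destination should not sit under that heading. Attribute it (reverse DNS, the certificate presented on 443, the owning process from `ss -tnp`) and either record the attribution in the forge baseline or move it to Findings. Separately, the prod failure "too many auth failures" is what sshd returns when the client offers more keys than MaxAuthTries allows before the right one; a Host entry in the scanner's ssh_config with `IdentitiesOnly yes` and the intended `IdentityFile` resolves it, and note that each failed scan attempt itself shows up as failed logins on prod and may get the scanning host banned by fail2ban there.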